Content Generation Skill Pack

Pass

Audited by ClawScan on May 10, 2026.

Overview

The visible skill is a content-writing prompt package, but it asks for a Brave API key and installs or declares extra tools that users should understand before use.

This appears to be a benign content-generation skill. Before installing, check why it needs BRAVE_API_KEY, curl, jq, git, and axios, and verify the package identity because the registry metadata and included _meta.json do not fully match.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may use your Brave API key and quota while producing researched content.

Why it was flagged

The skill requires a provider API key. This is plausibly related to research or fact checking, but the visible instructions do not explain exactly when the key is used or what data is sent.

Skill content
    requires:
      bins: ["curl", "jq", "git"]
      env: ["BRAVE_API_KEY"]
Recommendation

Use a limited or dedicated Brave API key if possible, monitor usage, and avoid installing if you do not want the skill to perform web-search-backed research.

What this means

Installing the skill may add a third-party npm dependency that is not clearly needed for the visible workflow.

Why it was flagged

The skill installs an unpinned npm package even though the provided artifacts contain no code files that use it. This is disclosed, but it is an unnecessary or unexplained dependency for a prompt-only content skill.

Skill content
node | package: axios | creates binaries: axios
Recommendation

Verify that the axios dependency is intentional and from the expected npm package before installing.

What this means

The package identity is not fully consistent across the provided artifacts, so it may be harder to confirm provenance.

Why it was flagged

The included _meta.json identity differs from the supplied registry metadata, which lists a different owner ID and slug. This is a provenance/coherence issue, not evidence of malicious behavior by itself.

Skill content
"ownerId": "kn79yq0mt59bnzdp29kfgxsk0181j3b1", "slug": "content-generation"
Recommendation

Confirm that the registry entry and packaged metadata refer to the same intended skill before trusting updates or dependencies.